If you have Let’s Encrypt certificates for all of your sites going through CloudFlare, you can turn on “Full (Strict)” in CloudFlare. “Strict” requires that your server have a valid, trusted certificate, such as one issued from Let’s Encrypt; however, there is still a decrypt-and-re-encrypt step on CloudFlare’s servers.

If you have any site using a self-signed certificate, use “Full”; data is still encrypted between CloudFlare and your servers, but CloudFlare will happily accept the untrusted certificate your server is using. Again, as with “Full (strict)”, data is still decrypted and then re-encrypted on CloudFlare’s servers.

The “Flexible” option says that CloudFlare should offer its certificates to encrypt data between your visitors and CloudFlare’s systems, but CloudFlare will not encrypt communications to your servers. Since you have certificates now, you don’t need to use this anymore (and really didn’t before, either, as you could have just quickly generated a self-signed certificate).

Essentially, the infinite redirect loop issue comes down to the fact that Flexible SSL is in use. When Flexible SSL is being used, the connection from CloudFlare to the origin is under plaintext HTTP. As such, the server cannot use ordinary methods to determine whether the connection is under HTTP or HTTPS (such as checking the SSL environment variable), so you get stuck in a redirect loop.
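The loop described above, as an added simulation that is not part of the original post: an origin with a "force HTTPS" rule sees only plain HTTP under Flexible SSL and redirects forever, while a handler that trusts the proxy's forwarded scheme (and only from a known proxy address) serves the page. The proxy range and addresses are constructed placeholders, not Cloudflare's real ranges; the proper fix remains switching to Full or Full (strict).

```python
import ipaddress

# Constructed stand-in for the proxy's published address ranges (placeholder only).
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]
MAX_HOPS = 5  # roughly where a browser gives up with "too many redirects"

def naive_is_https(request):
    # Origin looks only at its own TLS state (the "SSL environment variable").
    return request["tls_on_origin"]

def proxy_aware_is_https(request):
    # Trust the forwarded scheme only when this hop really came from the proxy;
    # any other client claiming X-Forwarded-Proto: https is ignored.
    peer = ipaddress.ip_address(request["remote_addr"])
    if any(peer in net for net in TRUSTED_PROXIES):
        return request["headers"].get("X-Forwarded-Proto", "http").lower() == "https"
    return request["tls_on_origin"]

def origin_handler(request, is_https):
    # Typical "force HTTPS" rule: redirect anything the origin thinks is not HTTPS.
    if not is_https(request):
        return 301, {"Location": "https://" + request["host"] + request["path"]}
    return 200, {}

def simulate_visit(is_https, mode):
    """Emulate a browser behind the proxy. 'flexible' = proxy speaks plain HTTP
    to the origin; 'full' = proxy re-encrypts to the origin.
    Returns (final_status, number_of_redirects_followed)."""
    hops = 0
    while True:
        # The visitor always talks HTTPS to the proxy; what the origin sees depends on mode.
        request = {
            "host": "example.com", "path": "/",
            "remote_addr": "203.0.113.10",               # constructed proxy address
            "tls_on_origin": mode == "full",
            "headers": {"X-Forwarded-Proto": "https"},   # scheme the visitor used
        }
        status, _ = origin_handler(request, is_https)
        if status != 301:
            return status, hops
        hops += 1
        if hops >= MAX_HOPS:
            return "ERR_TOO_MANY_REDIRECTS", hops

if __name__ == "__main__":
    print("naive/flexible:", simulate_visit(naive_is_https, "flexible"))
    print("aware/flexible:", simulate_visit(proxy_aware_is_https, "flexible"))
```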

If a web browser might visit it (even just to follow the redirect to the other site), it can show an error if the certificate isn’t valid, so it was correct to ask for certificates including for names used only to redirect.

You can inspect the certificate (if you have a copy as a file) or from inside a web browser (if you bypass CloudFlare or switch it off temporarily) to see the list of “Subject Alternative Names”, which should match the list of names you requested, unless something went wrong. If you look at a Cloudflare certificate, it will be for many different names (Cloudflare saves money/effort by sharing the certificates on their cheap/free plan between several customers) and issued from Comodo rather than Let’s Encrypt.

You can also find your certificate in a log monitor, such as https://crt.sh/, by typing in a name you know, and view the list of Subject Alternative Names in crt.sh’s view of the certificate.

Having only a single IP means that browser visitors to your site must use SNI (Server Name Indication) to say which site they expected to visit. Any modern browser is capable of this; worry only if you need to make it work for very old systems such as Windows XP, very old Android phones, or similar, or if you need to make it work with a special piece of third-party software that you know can’t do SNI. Even without SNI, things will work perfectly so long as you use only one certificate on the IP address, for all the names it answers for; the purpose of SNI is to select a certificate, and if you’ve only got one there’s no selection to make, so no problem.